Using firebase Idtoken instead of custom token without compromising security - firebase

I have following use cases:
I have cloud functions which are accessible with HTTP endpoint and they use authorization using custom token because the app is only accessible with certain IPs stored in RTDB so I have created one cloud function with will generate a custom token after signing in user using firebase client SDK and then it will create a custom token using admin SDK after checking IPs which are stored in RTDB.
Now with every subsequent call client will send token and functions will serve the request.
I have event listeners bound with the RTDB on a client and use file upload using client SDK which client initialize with firebaseApp.auth().signInWithCustomToken(custom token).
On the function side I use the same sign in the method that also utilizes my firebase SDK and then I serve that request. The problem here is this sign in the method is very slow like it is taking generally more than 1 second only in sign in.
Alternative
Now alternative is I can use id token which can be created using currentUser.getIdToken() on the client side itself and it takes barely few ms to decode that token but I cannot initialize SDK with that token. so I have to use admin SDK but my IP node in RTDB is not accessed by the normal user and can only be accessed with admin SDK, so if I use ADMIN SDK with Control Access with Custom Claims and Security Rules to give admin SDK similar access that the authorized user has then IP node will not be accessible.
Issues with id token
Id token can be refreshed on the client side so once a client has a custom token, It can generate as many tokens it wants and that is not desirable. Apart from that validating IP everytime is not the operation that I wanted to do so with custom token I only use that in generating a custom token and then for a refreshing token but with id token, this would not be possible as the client can generate it with SDK.
Basically, I have to use firebase SDK on the client side which will need custom token(for additional authorization check) to initialize and at the same time I call the clound function from the similar app so what is the best way to implement this use case.

Related

Authentication for the Firebase Cloud Function-based API with API key and OAuth - getting the uid in from the request

I'm working on the custom express API based on the single Cloud Function and I'd like to secure the endpoints with the authentication. I'm aiming for implementing the API key flow and OAuth 2.0 authorization code flow. In my endpoint functions I'd need to obtain the user id somehow and I was wandering how can I archive that. Should I mix Firebase Token (createCustomToken) with these auth flows? e.g in the API key flow when user generates a new token on the frontend then on the backend I should create a Firebase Token instead of custom hashed token and store it in db?
Any ideas how to do it properly, maybe are there any other/better ways to retrieve the uid?

firebase using claims in custom tokens

firebase claims are used to control user permissions across firbase services like firestore rtdb storage .
I have 2 options
create-custom-tokens and firebase auth custom claims
is the claims in the custom-tokens are also limited to the same 1000 bytes size as the built-in option ??
can I just have an http trigger to the cloud function to create a custom token when needed from the frontend and use that token(that includes the custom claims) in any transaction that require user permission like upload a photo on a specific route. As the latest sdk allows to call the function without any boilerplate for HTTP client libraries is that feasible??
Claims on custom tokens are not size limited. But you can't exactly use custom tokens the way you've proposed. Only thing you can do with a custom token is to sign in with it on a client app: https://firebase.google.com/docs/auth/admin/create-custom-tokens#sign_in_using_custom_tokens_on_clients
However, once you perform the sign in, you can use the resulting ID token to perform any operation you need. That is the ID token will have the custom claims set on it.

Firebase: REST API Auth via Query Parameter w Custom Token?

I have 20 enpoints that HTTP POST to my realtime database using the query parameter "auth":"<db secret>" and this works but I need to restrict access based on group. There are 2 groups of 10 endpoints.
These (particle.io) endpoints can be hardcoded with the URL to POST to, query parameters, custom headers, etc, but I don't believe they can handle an HTTP response (get the token to use) without some additional firmware level coding.
Is it possible for me to manually mint a persistent (lifetime:0) token using the Firebase Admin SDK that I can then configure in my endpoint?
You can mint a custom token using Admin SDKs, but they are meant to be exchanged for an ID token, which is what you must present when accessing the Firebase database. Plus, both custom tokens and ID tokens are short-lived (1 hour TTL).
If possible, you can run the Admin SDK directly on your devices with its privileges restricted via database auth overrides. But this is not usually recommended, since the users on the device can simply disable that.
I think you will have to make some HTTP calls from your devices, if you're to make this work with access tokens.

does firebase custom authentication require that you manage refresh tokens for web clients?

For firebase, I'm using custom authentication because our organization uses CAS for single sign on.
Does custom authentication handle refresh jwt tokens automatically or would I need to develop a refresh workflow within my app?
I am not creating custom tokens using a third party library. My token is created via var token = firebase.auth().createCustomToken(uid, additionalClaims) as described on https://firebase.google.com/docs/auth/server/create-custom-tokens. But this page doesn't mention anything about refresh tokens.
My clients are mainly web, and I've found notes that if you use the Android SDK, this refresh happens automatically. But I'm unsure about refresh tokens and web clients for custom authentications.
After you create the custom token using createCustomToken, you pass that token to the web client and call firebase.auth().signInWithCustomToken(token). The promise returned will resolve with a firebase User. The onAuthStateChanged listener will trigger as expected. A firebase Id token will be available. The token will be refreshed every hour and will be handled by the Firebase SDK. Anytime you call a user method or getToken on user, the token will be automatically refreshed if the old one was expired.

How can I create a firebase user from the node.js client

How can I create a firebase user from the node.js client? I see that there is a simple-login but that looks to be used from the web browser. I would like to authenticate with my firebase secret and then call the createuser api somehow.
The way my system is built the clients only send requests to the backend for processing. This way I have a log of every action taken by every user and I can guarantee that each alteration is applied to my other databases as well before it makes it into firebase. Also I do not want users to be able to create other users. Firebase is just a workqueue for me mostly but I am also using the simple login to verify the user then swapping them over to a login token afterwards to get the ability to check custom permissions in the auth on security rules.

Resources